04-17-2015 08:41 AM
Hi All,
We are in the initial phase of deploying Cisco ASA 5506s to our remote offices for redundant connectivity to our centralized data center. I am experiencing an issue I have never seen before, and I have been working with VPNs for a long time.
The 5525 is running 8.6 and the 5506 is running 9.3.2. In a test environment, when I initiate traffic from the 5506 side, the VPN gets established and there are valid SAs created. However, traffic is never returned, and Cisco and I are having a hard time finding the issue, leading me to think there is a bug.
Here is what I see:
From the 5506 side, I see the Encaps increase but have 0 decaps. On the 5525 side, I see the encaps and decaps increase. Usually, one side's encaps always equates to the other side's decaps. On the 5525 end, I do see this error in the logs:
ASA-7-710006: ESP request discarded from 5506_public_ip to the 5525_public_ip. Now this would explain why the 5506 has 0 decaps, but after working with Cisco for the past couple of days, we haven't been able to identify the cause. He did verify that the configuration is correct, and that a VPN from a location using a 5505 does not have the same issue.
Any help would be appreciated!
04-17-2015 04:15 PM
Hello,
Even though you get ESP packets on the 5506, you still have 0 decaps? Please get the:
#show mem
#show cpu usa
#show block
of both ASAs
04-20-2015 08:42 AM
01-22-fw-idc# show memory
Free memory: 3257102384 bytes (76%)
Used memory: 1037864912 bytes (24%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
01-22-fw-idc# show cpu usage
CPU utilization for 5 seconds = 4%; 1 minute: 4%; 5 minutes: 4%
01-22-fw-idc# show blocks
SIZE MAX LOW CNT
0 1450 1368 1450
4 400 399 399
80 2044 1916 2043
256 3100 3028 3095
1550 12624 12494 12620
2048 1848 1848 1848
2560 2964 2963 2964
4096 100 100 100
8192 100 100 100
9344 100 100 100
16384 157 157 157
65536 16 16 16
04-20-2015 08:46 AM
Also, when the tunnel is up and I initiate traffic from the 5525 side, I always see the "ESP request discarded" message.
I think the 5525 needs a reboot, as I removed the global policy-map, disabled and re-enabled all crypto settings, and also set up a 2nd VPN from the 5506 to another 5525 in our colo. That had no issue, and the 5525s have the same code and config.
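The thread's diagnosis rests on comparing one peer's encaps against the other peer's decaps and on spotting the 710006 discard message. The script below automates that comparison and is an added example, not code from either poster or from Cisco; the show crypto ipsec sa fragments and syslog lines are constructed samples using documentation addresses.

```python
import re

# Constructed sample fragments of "show crypto ipsec sa" from each peer
# (spoke = the 5506 in the thread, hub = the 5525); not captured output.
SPOKE_SA = """\
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
HUB_SA = """\
    #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
"""
# Constructed syslog lines; addresses are RFC 5737 documentation ranges.
HUB_SYSLOG = [
    "%ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.1",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:10.0.0.5/4433 "
    "(10.0.0.5/4433) to outside:198.51.100.1/443 (198.51.100.1/443)",
]

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
DISCARD_RE = re.compile(r"%ASA-7-710006: (\w+) request discarded from (\S+) to (\S+)")


def sa_counters(text):
    """Return {'encaps': n, 'decaps': n} parsed from one SA's output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def check_symmetry(local, remote, tolerance=0):
    """Compare local encaps with remote decaps in both directions.

    A healthy pair has each side's encaps matching the other side's decaps
    (a small tolerance allows for packets in flight). Returns a list of
    problem descriptions; an empty list means the counters look consistent.
    """
    problems = []
    if local["encaps"] - remote["decaps"] > tolerance:
        problems.append("remote not decapsulating local traffic")
    if remote["encaps"] - local["decaps"] > tolerance:
        problems.append("local not decapsulating remote traffic")
    return problems


def discarded_requests(lines):
    """Extract (protocol, source, destination) from ASA 710006 messages."""
    return [m.groups() for line in lines if (m := DISCARD_RE.search(line))]


if __name__ == "__main__":
    spoke, hub = sa_counters(SPOKE_SA), sa_counters(HUB_SA)
    print("spoke view:", check_symmetry(spoke, hub))
    print("discards on hub:", discarded_requests(HUB_SYSLOG))
```

With the sample counters the spoke view reports "local not decapsulating remote traffic", which is exactly the 0-decaps symptom described in the thread, and the hub log shows the matching ESP discard.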